IETF Logo Mail Archive

Re: [openpgp] proof-of-work fingerprints [was: Re: Fingerprint requirements for OpenPGP]

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 16 April 2016 15:56 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B2912D7B0 for <openpgp@ietfa.amsl.com>; Sat, 16 Apr 2016 08:56:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xx_9nLTOiDRC for <openpgp@ietfa.amsl.com>; Sat, 16 Apr 2016 08:56:24 -0700 (PDT)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C830212D663 for <openpgp@ietf.org>; Sat, 16 Apr 2016 08:56:23 -0700 (PDT)
Received: by mail-lf0-x235.google.com with SMTP id e190so175801818lfe.0 for <openpgp@ietf.org>; Sat, 16 Apr 2016 08:56:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=Kyx68Uv7o+kAENhsRRwlQMe9jEqWxKzIQO/6iZSoOt0=; b=jr0i280xy9xC+3nXQaEln/wIemqj9t/PRSGs0iZesjXgfVIz1O6nH+J6Qmr8W4OfYg vWvoFM5thX5sUXlwP96SPjyFNZ2RNOfhW6OLx9M5ymP3wrrGrYR9R4jitRFP9gnCIOaK 97kKOwjIutLWFJIOSiQDYQm/kG9NMEKTo223V9xjopwYs0m1JSaOcn18U5oVF0QAq+j0 sqgCqgJRUo6rpKdnG8WKpSP3G8z9Yo3NUXfC4Mbwo6qIS06k9AsuGgLoTW1DiZdV4dcl HH6JX5DPPdLjvs+ugdR7eVQUDrv8xzatHDpTA/mYsQxrO90Am47zp93GD+L80s2EjDxV 6Njg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=Kyx68Uv7o+kAENhsRRwlQMe9jEqWxKzIQO/6iZSoOt0=; b=gZRensvFr4xlVEsRD78ijOB5kTwvbYHuyvEs51/kfQ10z/xNlcDD2Ap+eaF3KGY7Lf ND5U8mg+f4t1DQ4yCbZziM/cN+PuY4tYM4vRNWRSdJLv/EslpfusXTH/vAdX7nptnwl/ 1kI8HKEirDXtOUSZFhbSJksNOtKtT9nmrklbVo5K/VAbFnyKUTHyAruzt6ugNPJ5FBNf qAzSmosjEPXbU70e0hE9Tg67KKR/EfBOyVqY5U7e2moRGj3ivOidQ4EaaKrg2qYOmCMW FLbGg1epf5Ic2MJS0Yo/3AleLSn9AZchIW/nu6O3qfcoUfJq2CvgxtX1e6CXEi6I5vku z2cw==
X-Gm-Message-State: AOPr4FWkOb0KjDqUeGEHMBGqwb9XuCF9PLBgDq3zWg9L8bvzjxbynd1NOP6SOi2zzY4CG2f+5lz0d0WyhAUc7g==
MIME-Version: 1.0
X-Received: by 10.25.135.194 with SMTP id j185mr8454996lfd.39.1460822181887; Sat, 16 Apr 2016 08:56:21 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.3.102 with HTTP; Sat, 16 Apr 2016 08:56:21 -0700 (PDT)
In-Reply-To: <87potuadxq.fsf@alice.fifthhorseman.net>
References: <87vb3nslqh.fsf@alice.fifthhorseman.net> <87potug3s5.fsf@wheatstone.g10code.de> <87potuadxq.fsf@alice.fifthhorseman.net>
Date: Sat, 16 Apr 2016 11:56:21 -0400
X-Google-Sender-Auth: TxEn3B7CJKRZ40dDppY5Oqow7nE
Message-ID: <CAMm+Lwi95bv_QG751=exgDpH3UpP2-oAeS++5gqi-sxjMqANKw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/ndn4y9ue9KtH2yZ6h4DHn3dwQS4>
Cc: Werner Koch <wk@gnupg.org>, IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] proof-of-work fingerprints [was: Re: Fingerprint requirements for OpenPGP]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Apr 2016 15:56:26 -0000

This is almost the scheme I am looking at. The main practical
difference is that I don't see the need to be quite so granular. If
people are going to use proof of work, then I would start off with a
threshold designed to take about an hour of processing on contemporary
machines, for the sake of argument, say that is 24 bits. Then I would
allow for prefixes of 24, 34, 40 bits.

This approach can be encoded using a leading 1s approach. So each
increase in work saves 7 bits.

The increase in work may look dramatic, but it really isn't because I
expect people would throw parallel machines at the problem. Also note
moving from RSA to ECC saves a huge chunk of keygen time. So any
compression scheme is having to deal with a vast difference in
computing demands and capabilities.

The wonderful thing about exponents is that they tend to quickly
balance any mismatch in such things.


The other trick I think is very useful is to use truncated
fingerprints as keyIds. Lets say that we start with a SHA-51





On Tue, Apr 12, 2016 at 2:18 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> On Tue 2016-04-12 13:01:14 -0400, Werner Koch <wk@gnupg.org> wrote:
>> According to Peter, this means SHA-256.  There may be no proof-of-work
>> to for creating a key and thus a structured fingerprint.  (Sometimes you
>> have to create a lot of one-off keys.)
>
> The one proposal i've heard that keeps things somewhat simple but still
> allows the possibility of an increased cost to an adversary intent on a
> preimage attack is related to floating point implementations, and was
> suggested by PHB.  I try to describe my understanding of the scheme
> below, but writing it all down makes me think that "somewhat simple"
> might be overselling it; there are quite a few complications.
>
> Here goes:
>
>  * Start from a design of a fingerprint of X bits, using a truncation of
>    digest of size Z (where Z > X).  for example, a 200-bit fingerprint
>    from sha-256.  this would typically mean an adversary has to do about
>    2^200 sha-256 operations to find a match.  (this is an impossibly
>    high bar if we're talking about brute force, but if we assume that
>    most cryptanalysis of SHA-256 allows an attacker to shave off some
>    sizeable work factor, it represents the "safety margin" against
>    unknown cryptanalysis of this type)
>
>  * Instead, make the fingerprint X+N bits, where the first N bits
>    indicate the number of leading zeros of the digest.  Now if i do a
>    bit of work to generate keys with, say, 10 leading zeros, an attacker
>    will probably need to do about 2^10 more digests to find a match.
>
> So if we're doing a 200-bit truncation of sha-256, and we have an 8-bit
> count of leading zeros, and the digest produced is (in hex -- i'm not
> making an argument about choice of textual representation here, just
> showing in hex for discussion):
>
>  001a1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
>
> then it would result in a fingerprint of (again in hex for discussion):
>
>   0ba1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da5
>
> That is: 11 (0x0b) bits of zeros, followed by a 1 bit, followed by
> a1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da5
>
> More precisely, under this scheme, fingerprint generation looks like:
>
> scan1(x) : the position of the left-most 1 bit in bitstring x
>   A[n:m] : bits n through m-1 of bitstring A
> enc(n,b) : a bitstring of length b encoding n as an unsigned int
>  dgst(x) : a fixed-length bitstring digest of bitstring x (e.g. sha-256)
>        X : number of explicitly-represented bits
>        N : size of bitfield for counting leading zeros
>       || : bitstring concatenation
>
>  def fpr(z):
>     h = dgst(z)
>     k = scan1(z)
>     return enc(k,N) || h[z+1:z+1+X]
>
>  * note that first bit that is set to 1 is omitted from the
>    representation (it's present by implication).  This isn't just a hack
>    to squeeze one more bit of entropy out of the fingerprint, it's
>    arguably necessary to ensure that there is exactly one fingerprint
>    that corresponds to any given digest. Otherwise, i can represent a
>    fingerprint with 3 leading zero bits as:
>
>  <3> 1100101...
>
>    or:
>
>  <2> 01100101...
>
>    or:
>
>  <1> 001100101...
>
>    or:
>
>  <0> 0001100101...
>
>     The other alternative is to require that the leading bit after the
>     zero-run prefix is always 1 (unless the zero-run prefix is maxed
>     out?), which would mean that certain fingerprints are simply invalid
>     (we'd want tools to reject them?)
>
>   * note also that for some choices of dgst and N it would mean there
>     could be some keys that are un-fingerprintable.  For example, if we
>     chose dgst = sha-256 and N = 5, then any key that has a sha-256
>     digest with a leading run of more than 31 zeros might be
>     unrepresentable.
>
> With all these caveats, i confess the much-simpler construction "200-bit
> truncation of sha-256" looks pretty appealing :)
>
>            --dkg
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email